cycbot | aad641cc5e653ce3804ad02a44de8cfa12f8cdb92d318a09c3cc03cfa666c360

General

Target

JaffaCakes118_6a8536216035e4b8ab5a6270cbb07a8f.exe
Size

152KB
MD5

6a8536216035e4b8ab5a6270cbb07a8f
SHA1

28bde68516725f553d39372de75cb047503e23a0
SHA256

aad641cc5e653ce3804ad02a44de8cfa12f8cdb92d318a09c3cc03cfa666c360
SHA512

8c6ae0b4c5173ceddfd9a7d27aea46c7a0ccdcc8ce3c3ae1d77cfd1f793ba6101a8ee00a4ef0c41f00b903b4db0c14d1e7acc618eac631a837d4a52b0d226d6c
SSDEEP

3072:1IgId77xGL0ngrMFcqgQlODYbCP6rOjcgmNx11jf4DFt3QWVDaSNdHO:1bw08lOEbDRb1FfgtAvn

Score

10^/10

cycbot backdoor discovery persistence rat spyware stealer upx

Malware Config

Signatures

Cycbot
Cycbot is a backdoor and trojan written in C++..
backdoor rat cycbot
Cycbot family
cycbot

Detects Cycbot payload 5 IoCs

Cycbot is a backdoor and trojan written in C++.

resource	yara_rule
behavioral1/memory/2372-6-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2384-14-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2384-83-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/844-86-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot
behavioral1/memory/2384-190-0x0000000000400000-0x0000000000442000-memory.dmp	family_cycbot

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\conhost = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\conhost.exe"	JaffaCakes118_6a8536216035e4b8ab5a6270cbb07a8f.exe

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2384-2-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2372-5-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2372-6-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2384-14-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2384-83-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/844-85-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/844-86-0x0000000000400000-0x0000000000442000-memory.dmp	upx
behavioral1/memory/2384-190-0x0000000000400000-0x0000000000442000-memory.dmp	upx

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6a8536216035e4b8ab5a6270cbb07a8f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6a8536216035e4b8ab5a6270cbb07a8f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6a8536216035e4b8ab5a6270cbb07a8f.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2372	2384	JaffaCakes118_6a8536216035e4b8ab5a6270cbb07a8f.exe	30
PID 2384 wrote to memory of 2372	2384	JaffaCakes118_6a8536216035e4b8ab5a6270cbb07a8f.exe	30
PID 2384 wrote to memory of 2372	2384	JaffaCakes118_6a8536216035e4b8ab5a6270cbb07a8f.exe	30
PID 2384 wrote to memory of 2372	2384	JaffaCakes118_6a8536216035e4b8ab5a6270cbb07a8f.exe	30
PID 2384 wrote to memory of 844	2384	JaffaCakes118_6a8536216035e4b8ab5a6270cbb07a8f.exe	33
PID 2384 wrote to memory of 844	2384	JaffaCakes118_6a8536216035e4b8ab5a6270cbb07a8f.exe	33
PID 2384 wrote to memory of 844	2384	JaffaCakes118_6a8536216035e4b8ab5a6270cbb07a8f.exe	33
PID 2384 wrote to memory of 844	2384	JaffaCakes118_6a8536216035e4b8ab5a6270cbb07a8f.exe	33

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a8536216035e4b8ab5a6270cbb07a8f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a8536216035e4b8ab5a6270cbb07a8f.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a8536216035e4b8ab5a6270cbb07a8f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a8536216035e4b8ab5a6270cbb07a8f.exe startC:\Users\Admin\AppData\Roaming\dwm.exe%C:\Users\Admin\AppData\Roaming
  2⤵
  - System Location Discovery: System Language Discovery
  PID:2372
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a8536216035e4b8ab5a6270cbb07a8f.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a8536216035e4b8ab5a6270cbb07a8f.exe startC:\Users\Admin\AppData\Local\Temp\csrss.exe%C:\Users\Admin\AppData\Local\Temp
  2⤵
  - System Location Discovery: System Language Discovery
  PID:844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials from Password Stores

1

T1555

Credentials from Web Browsers

1

T1555.003

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\4D16.DCD

Filesize
1KB

MD5
bab805bfdf09ec723ccf09a0f687ac3b

SHA1
8f67c74441eaea95d0aaf52af00a9dfd747f5048

SHA256
3d2dbd89f61c2061548dcf704790f0a953c53cb3b54565885a869af253223461

SHA512
6579452b011f01710d056b6364bfa8d30358467f9838d83c175ead12529d4633f0b86a8780e4a6a69c4f0646bf30b995145618421361acd097201fba0c875f8c

Download Submit
C:\Users\Admin\AppData\Roaming\4D16.DCD

Filesize
600B

MD5
5afc2492b85146718fa83cd7b44bfeb6

SHA1
f7188376c1015c6877321bfcc39be1da3f3488d8

SHA256
6bdebd49423d13269db98e8470f3d8704624abf8a0b3ceab858dc74d4fb2ef2a

SHA512
bce0f3fa48b01f9151df0e898eda982d1a2211364030eea075605352d517e06286bde0c7b4d25bbce9b4d517d391f8c37c2518d48b4009ee64ef42d91378f46d

Download Submit
C:\Users\Admin\AppData\Roaming\4D16.DCD

Filesize
996B

MD5
13bd40f311a75f8ea3ae08f2a23ca83e

SHA1
d3bb001529c51cef44849e387fba1682a430df06

SHA256
6337598414cc534f8bd283e9cea4af1c863278aeac49ad12b0dd5fe825dc0589

SHA512
498c1512376765c74ded0f3753c8458c076c773b2a5212a6cad27d0d552d127afdf5ed4a4acffd064f708d48b7d547c1e38689bcd456371b4ef69e80c4d2d576

Download Submit
memory/844-85-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/844-86-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2372-5-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2372-6-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2384-1-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2384-2-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2384-14-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2384-83-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/2384-190-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads